Australian Privacy Act Gets New Notification Requirements


With GDPR the focus of many press headlines across the world, you’d think it was the first and only regulation covering the privacy of individuals! However, privacy regulations exist in numerous countries around the globe, and anyone in Australia or its territories will be all-too familiar with the Australian Privacy Act 1988 (which, for simplicity, I'll just refer to as 'the Privacy Act' from this point forward).

Administered by the Office of the Australian Information Commissioner (OAIC), the Privacy Act sets out 13 Australian Privacy Principles (APPs) that govern how the personal information of individuals must be handled. Breaching an APP is deemed, "...an interference with the privacy of an individual," and serious or repeated interferences attract civil penalties of up to AUD$360,000 for individuals and up to AUD$1.8M for organizations.

What's top of mind for many who are subject to the Privacy Act is a new amendment: the Privacy Amendment (Notifiable Data Breaches) Act 2017. Prompted by the proliferation of personal information stored in electronic form (social media content, healthcare records, and more), the amendment acknowledges the increasing risk, and the increasing number, of breaches of that data.

Starting 22 February 2018, the amendment introduces the Notifiable Data Breaches (NDB) scheme. This requires organizations to notify affected individuals and the OAIC of an 'eligible data breach,' which is defined as when ALL of the following conditions are met:

An individual's personal information has been subject to unauthorized access, unauthorized disclosure, or loss;

The breach is likely to result in serious harm to that individual; and

The organization has not been able to prevent the likely risk of serious harm with remedial action (for example, by recovering a lost device before anyone could read its contents).

The third condition is the practical caveat: a breach that is contained quickly enough that serious harm is no longer likely is not an eligible data breach, and does not have to be notified.

Who Needs To Comply with the Australian Privacy Act?

The Privacy Act applies to all Australian government agencies, and to businesses and non-profit organizations with an annual turnover of more than AUD$3 million.

In addition, small businesses and organizations with an annual turnover of AUD$3 million or less that fall into the following categories must also comply with the Privacy Act:

What Happens if a Breach of Personal Information is Suspected?

When there are reasonable grounds to suspect that a breach of personal information has occurred, organizations subject to the Privacy Act must:

Promptly start a reasonable and expeditious assessment to determine the nature, extent, and severity of the breach, and whether it is an eligible data breach.

Take all reasonable steps to complete the assessment within 30 calendar days from the day after the breach is first suspected.

The Privacy Act is not prescriptive in how an investigation is conducted, but the OAIC recommends a three-stage process:

Initiate to determine if an assessment is necessary, and who is responsible to complete that assessment.

Investigate the breach, including what personal information is affected, who may have had access to the information, and what the likely impacts might be.

Evaluate whether the identified breach is an eligible data breach.

If the breach is deemed an eligible data breach, the organization must prepare a statement for the OAIC and notify the affected individual(s) as soon as practicable. The statement must identify the organization, describe the breach and the kinds of personal information involved, and recommend steps individuals should take in response.

‘Reasonable Steps’ To Protect Personal Data

In January 2015, the OAIC published the Guide to Securing Personal Information to advise organizations on what to implement to protect personal information. Part B of this document outlines a mix of administrative and technical controls across the following nine broad topics, which together are deemed the ‘reasonable steps’ that any entity subject to the Privacy Act is expected to put into place.

Governance, culture, and training

Internal practices, procedures, and systems

ICT security

Access security

Third party providers (including cloud computing)

Data breaches

Physical security

Destruction and de-identification

Standards

In addition, some agencies are subject to further protective-security requirements for personal information under other frameworks, such as the Australian Government's Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM). Both documents are written for government agencies, but either can be used as guidance by any organization.

To manage cybersecurity risk effectively and implement the technical side of the 'reasonable steps' the Privacy Act expects, an organization would conceivably have to procure and deploy multiple point security solutions. Investigating a suspected breach with a myriad of disconnected tools is also challenging, especially given the 30 calendar-day window within which the assessment must be completed. Alternatively, organizations can pursue a unified solution that combines multiple essential security technologies into a single platform with a single management console. AlienVault USM does just that.

How AlienVault USM Helps Support Compliance with the Privacy Act

While many of the APPs focus on administrative controls and processes for the collection of personal information, APP 11 (security of personal information) requires organizations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure. The above-mentioned OAIC guide describes what those 'reasonable steps' look like in practice.

AlienVault USM provides multiple essential security capabilities in a single solution, enabling you to satisfy many of the ‘reasonable steps’ outlined by the OAIC to meet APP 11, as well as accelerate investigations into suspected breaches to meet the 30 calendar-day window. In one unified solution, you get:

Asset Discovery: Know who and what is connected to your cloud, on-premises, and hybrid environments at all times.

You can also explore our online demo environment to see the capabilities of AlienVault USM and how it can help accelerate your security and compliance efforts.

About the Author: Sacha Dawes, AlienVault

Sacha joined AlienVault in Feb 2017, where he is responsible for the technical marketing of the AlienVault Unified Security Management (USM) family of solutions. He brings multiple years of experience from product management, product marketing and business management roles at Microsoft, NetIQ, Gemalto and Schlumberger, where he has delivered both SaaS-delivered and boxed-product solutions that address the IT security, identity and management space. Originally from the UK, Sacha lives in Austin, TX.